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Abstract 

In joint work with Peter O 'Hearn and others, based on 
early ideas of Burstall, we have developed an extension of 
Hoare logic that permits reasoning about low-level impera- 
tive programs that use shared mutable data structure. 

The simple imperative programming language is ex- 
tended with commands ( not expressions) for accessing and 
modifying shared structures, and for explicit allocation and 
deallocation of storage. Assertions are extended by intro- 
ducing a "separating conjunction " that asserts that its sub- 
formulas hold for disjoint parts of the heap, and a closely 
related "separating implication ". Coupled with the induc- 
tive definition of predicates on abstract data structures, this 
extension permits the concise and flexible description of 
structures with controlled sharing. 

In this paper, we will survey the current development of 
this program logic, including extensions that permit unre- 
stricted address arithmetic, dynamically allocated arrays, 
and recursive procedures. We will also discuss promising 
future directions. 



1. Introduction 

The use of shared mutable data structures, i.e., of struc- 
tures where an updatable field can be referenced from more 
than one point, is widespread in areas as diverse as systems 
programming and artificial intelligence. Approaches to rea- 
soning about this technique have been studied for three 
decades, but the result has been methods that suffer from ei- 
ther limited applicability or extreme complexity, and scale 
poorly to programs of even moderate size. (A partial bibli- 
ography is given in Reference [28].) 

The problem faced by these approaches is that the cor- 
rectness of a program that mutates data structures usually 
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depends upon complex restrictions on the sharing in these 
structures. To illustrate this problem, and our approach to 
its solution, consider a simple example. The following pro- 
gram performs an in-place reversal of a list: 

j := nil ; while i ^ nil do 

(k:=[i + l];[i+l]:=j;j:=i;i:=k). 

(Here the notation [e] denotes the contents of the storage at 
address e.) 

The invariant of this program must state that i and j are 
lists representing two sequences a and (3 such that the re- 
flection of the initial value an can be obtained by concate- 
nating the reflection of a onto (3: 

3a, (3. list a i A list /? j A a\ = a^-(3, 

where the predicate list a i is defined by induction on the 
length of a: 

list e i = f i = nil list(a-a) i = f 3j. i ^ — > a,j A list a j 

(and <—> can be read as "points to"). 

Unfortunately, however, this is not enough, since the pro- 
gram will malfunction if there is any sharing between the 
lists i and j. To prohibit this we must extend the invariant to 
assert that only nil is reachable from both i and j: 

(3a, 13. list a i A list /? j A aj = a)-0) | 
A (Vk. reach(i, k) A reach(j, k) =>■ k = nil), 

where 

reach(ij) = f 3n > 0. reach„(i,j) 

reach 0 (i,j) =' i = j 

reach„ + i(i, j) = f 3a, k. i <—> a, k A reach„(k, j). 

Even worse, suppose there is some other list x, repre- 
senting a sequence 7, that is not supposed to be affected by 



the execution of our program. Then it must not share with 
either i or j, so that the invariant becomes 

(3a, (3. list a i A list f3] A a\ = c^-f3) A list 7 x 
A (Vk. reach(i, k) A reach(j, k) =>• k = nil) ^ 
A (Vk. reach(x, k) A (reach(i, k) V reach(j, k)) 

=> k = nil). 

Even in this trivial situation, where all sharing is prohibited, 
it is evident that this form of reasoning scales poorly. 

The key to avoiding this difficulty is to introduce a novel 
logical operation P * Q, called separating conjunction (or 
sometimes independent or spatial conjunction), that asserts 
that P and Q hold for disjoint portions of the addressable 
storage. In effect, the prohibition of sharing is built into this 
operation, so that Invariant (1) can be written as 

(3a, (3. list a i * list (3 j) A a\ = a^-f3, (3) 

and Invariant (2) as 

(3a, (3. list a i * list /? j * list 7 x) A a\ = a* -(3. (4) 

In fact, one can go further: Using an inference rule called 
the "frame rule", one can infer directly that the program 
does not affect the list x from the fact that assertions such as 
(3) do not refer to this list. 

The central concept of a separating conjunction is im- 
plicit in Burstall's early idea of a "distinct nonrepeating tree 
system" [2]. In lectures in the fall of 1999, 1 described the 
concept explicitly, and embedded it in a flawed extension of 
Hoare logic [16, 17]. Soon thereafter, an intuitionistic logic 
based on this idea was discovered independently by Ishtiaq 
and O'Hearn [19] and by myself [28]. Realizing that this 
logic was an instance of the logic of bunched implications 
[23, 26], Ishtiaq and O'Hearn also introduced a separating 
implication P — * Q. 

The intuitionistic character of this logic implied a mono- 
tonicity property: that an assertion true for some portion of 
the addressable storage would remain true for any extension 
of that portion, such as might be created by later storage al- 
location. 

In their paper, however, Ishtiaq and O'Hearn also pre- 
sented a classical version of the logic that does not impose 
this monotonicity property, and can therefore be used to rea- 
son about explicit storage deallocation; they showed that 
this version is more expressive than the intuitionistic logic, 
since the latter can be translated into the classical logic. 

In both the intuitionistic and classical version of the 
logic, addresses were assumed to be disjoint from inte- 
gers, and to refer to entire records rather than particular 
fields, so that "address arithmetic" was precluded. More 
recently, I generalized the logic to permit reasoning about 
unrestricted address arithmetic, by regarding addresses as 



integers which refer to individual fields [24, 30, 29]. It is 
this form of the logic that will be described and used in 
most of the present paper. We will also describe O'Hearn's 
frame rule [24, 35, 34, 19], which permits local reasoning 
about components of programs. 

Since these logics are based on the idea that the structure 
of an assertion can describe the separation of storage into 
disjoint components, we have come to use the term sepa- 
ration logics, both for the extension of predicate calculus 
with the separation operators and the resulting extension of 
Hoare logic. A more precise name might be storage separa- 
tion logics, since it is becoming apparent that the underlying 
idea can be generalized to describe the separation of other 
kinds of resources [3, 11, 12, 9, 10]. 

2. The Programming Language 

The programming language we will use is the simple im- 
perative language originally axiomatized by Hoare [16, 17], 
extended with new commands for the manipulation of mu- 
table shared data structures: 

(comm) ::= 

I (var) := cons((exp), . . . , (exp)) allocation 

I (var) := [(exp)] lookup 

I [(exp)] := (exp) mutation 

I dispose (exp) deallocation 

Semantically, we extend computational states to contain 
two components: a store (or stack), mapping variables into 
values (as in the semantics of the unextended simple imper- 
ative language), and a heap, mapping addresses into values 
(and representing the mutable structures). 

In the early versions of separation logic, integers, atoms, 
and addresses were regarded as distinct kinds of value, 
and heaps were mappings from finite sets of addresses to 
nonempty tuples of values: 

Values = Integers U Atoms U Addresses 

where Integers, Atoms, and Addresses are disjoint 

Heaps = [J fi„ (A — > Values + ) . 

A C Addresses 

To permit unrestricted address arithmetic, however, in 
the version of the logic used in most of this paper we will 
assume that all values are integers, an infinite number of 
which are addresses; we also assume that atoms are inte- 
gers that are not addresses, and that heaps map addresses 



into single values: 

Values — Integers 
Atoms U Addresses C Integers 

where Atoms and Addresses are disjoint 
Heaps = (J fi„ (A — ^ Values) . 

A C Addresses 

(To permit unlimited allocation of records of arbitrary size, 
we require that, for all n > 0, the set of addresses must con- 
tain infinitely many consecutive sequences of length n. For 
instance, this will occur if only a finite number of positive 
integers are not addresses.) In both versions of the logic, we 
assume 

nil e Atoms 
Storesy = V — > Values 

Statesy = Storesy x Heaps, 

where V is a finite set of variables. 

Our intent is to capture the low-level character of ma- 
chine language. One can think of the store as describing the 
contents of registers, and the heap as describing the con- 
tents of an addressable memory. This view is enhanced by 
assuming that each address is equipped with an "activity 
bit"; then the domain of the heap is the finite set of active 
addresses. 

The semantics of ordinary and boolean expressions is the 
same as in the simple imperative language: 

[e e (exp)J e (|J H „ Storesy) — >• Values 

P VDFV(e) 

lb e (boolexp)] bcxp e 

(U fin Storesy) — > {true, false} 

VDFV(6) 

(where FV(p) is the set of variables occurring free in the 
phrase p). In particular, expressions do not depend upon the 
heap, so that they are always well-defined and never cause 
side-effects. 

Thus expressions do not contain notations, such as cons 
or [— ], that refer to the heap. It follows that none of the new 
heap-manipulating commands are instances of the simple 
assignment command (var) := (exp) (even though we write 
them with the familiar operator :=). In fact, they will not 
obey Hoare's inference rule for assignment. However, since 
they alter the store at the variable v, we will say that the 
commands v := cons(- • •) and v := [e], as well as v := e 
(but not [v] := e or dispose v) modify v. 

A simple way to define the meaning of the new com- 
mands is by small-step operational semantics, i.e., by defin- 
ing a transition relation ~» between configurations, which 
are either 

• nonterminal: A command-state pair (c, (s, h)), where 
FV(c)Cdoms. 



• terminal: A state (s, h) or abort. 

We write 7 ^* 7' to indicate that there is a finite sequence 
of transitions from 7 to 7', and 7 f to indicate that there is 
an infinite sequence of transitions beginning with 7. 

In this semantics, the heap-manipulating commands are 
specified by the following inference rules: 

• Allocation 



(v :=cons(ei, . . .,e„), (s,h)) 

~> ([a I v:£], [h | t: [ ei ] expS | . . . | t+n-1: [e„] exp s]), 
where £,...,£+ n — 1 e Addresses — dom h. 

• Lookup 

When [e] s e dom/i: 



(v:=[e},(s,h))^([s\v:h(le} exp s)],h), 
When [ej s $ dom/i: 



(v := [e], (s, h)) ~» abort. 

• Mutation 

When [e] s e dom/i: 



([e] :=e',( S ,h))^(s,[h\lej cxpS :le% xpS }), 
When [e] s <t dom/i: 



([e] := e', (s, h)) ~» abort. 

• Deallocation 

When [e] s e dom/i: 



(dispose e, (s, h)) ~> (s, h] (dom h - {[e] exp s})) ; 
When [e] s $ dom/i: 



(dispose e, (s, h)) ~» abort. 

(Here [/ | x:a] denotes the function that maps x into a 
and all other arguments y in the domain of / into / y. The 
notation /] S denotes the restriction of the function / to the 
domain S.) 

The allocation operation activates and initializes n cells 
in the heap. Notice that, aside from the requirement that 
the addresses of these cells be consecutive and previously 
inactive, the choice of addresses is indeterminate. 

The remaining operations all cause memory faults (de- 
noted by the terminal configuration abort) if an inactive 
address is dereferenced or deallocated. 



An important property of this language is the effect of 
restricting the heap on the execution of a command. Essen- 
tially, if the restriction removes an address that is derefer- 
enced or deallocated by the command, then the restricted 
execution aborts; otherwise, however, the executions are 
similar, except for the presence of unchanging extra heap 
cells in the unrestricted execution. 

To state this property precisely, we write h 0 _L hi to 
indicate that the heaps h 0 and hi have disjoint domains, 
and h 0 ■ hi to indicate the union of such heaps. Then, when 
ho C h, 

• If (c, (s, h)) abort, then (c, (s, ho)) abort. 

• If (c, (s, h)) ^* (s', h') then (c, (s, h 0 )) ^* abort 
or (c, (s, h 0 )} ^* (s', h' 0 ), where h' 0 _L hi and h' = 
h' 0 ■ hi. 

• If (c,(s,h)} t then either (c, (s, ho)) ^* abort or 
(c, (s,M) T- 

3. Assertions and their Inference Rules 

In addition to the usual formulae of predicate calculus, 
including boolean expressions and quantifiers, we introduce 
four new forms of assertion that describe the heap: 



(assert) ::= 
| emp 

| (exp) i ^ (exp) 
| (assert) * (assert) 
| (assert) — * (assert) 



empty heap 
singleton heap 
separating conjunction 
separating implication 



Because of these new forms, the meaning of an assertion 
(unlike that of a boolean expression) depends upon both the 
store and the heap: 

b e (assert)] asrt e 



(U fin Storesy) 

VDFV(p) 



Heaps — > {true, false}. 



Specifically, emp asserts that the heap is empty: 

I em PLsrt s/l iff domh = 0> 

e e' asserts that the heap contains one cell, at address e 
with contents e': 

b^efj^ah iff 

dom ft = {[e] exp 4 and /i([e] expS ) = [e'] expS , 

p 0 * Pi asserts that the heap can be split into two disjoint 
parts in which p 0 and pi hold respectively: 

bo * Pii asrt sh iff 

3ho, hi. h 0 -L hi and h 0 • hi = h and 

[Po] asrt ^o and|bi] asrt s/ii, 



and — * Pi asserts that, if the current heap is extended 
with a disjoint part in which p 0 holds, then pi will hold in 
the extended heap: 

IPO -*Pllasrt s/l ^f 

V/i'. (/i' _L h and bol asrt s implies 

lPlksrtHh-h'). 

When this semantics is coupled with the usual interpretation 
of the classical connectives, the result is an instance of the 
"resource semantics" of bunched implications as advanced 
by David Pym [23,26]. 

It is useful to introduce several more complex forms as 
abbreviations: 



dof 



3x'. 



where x' not free in e 



2 = e e * true 



def 

= e^ei * 



ei,...,e 

dof 



* e|n-lHe„ 



e^ei * ••• * e + n — l^e„ 
iff e i— > ei , . . . , e„ * true. 

By using i— >, and the two forms of conjunction, it is 
easy to describe simple sharing patterns concisely: 

1. x i J - 3, y asserts that x points to an adjacent pair of 
cells containing 3 and y (i.e., the store maps x and y 
into some values a and (3, a is a address, and the heap 
maps a into 3 and a + 1 into (J): 



2. y h 3,x asserts that y points to an adjacent pair of 
cells containing 3 and x: 



y— 3 



3. x^3,y * y^3,x asserts that situations (1) and (2) 
hold for separate parts of the heap: 



3 v 3 ^ y 



4. xi-^3,yAyi-^3,x asserts that situations (1) and (2) 
hold for the same heap, which can only happen if the 
values of x and y are the same: 



5. x^3,yAy^3,x asserts that either (3) or (4) may 
hold, and that the heap may contain additional cells. 

There are also simple examples that reveal the occasionally 
surprising behavior of separating conjunction. Suppose sx 
and s y are distinct addresses, so that 

h 1 = {{sx,l)} and ft 2 = {(sy,2)} 

are heaps with disjoint singleton domains. Then 



If p is: 



then I 



,s ft is: 



(x 



1 
2 

1 ^ y i — ► 2 
1 * XM 1 
1 V y i ^ 2 
1 * (x h 1 V y 

-> 1 V y 2) 

* (x n 1 V y h 

— > 1 * y i — ► 2 

* (x n 1 V y h 

■> 1 * true 

» 1 * 1 X I ► 1 



2) 



2) 
2) 



ft = fti 
h=h 2 
ft = h\ ■ h 2 
false 

h = hi or h = h 2 
h = hi ■ /12 

ft = fti • ft 2 

false 

fti C ft 
hi C ft. 



To illustrate separating implication, suppose that an as- 
sertion p holds for a store that maps the variable x into an 
address a and a heap ft that maps a into 16. Then 

(x i ► 16) — * p 

holds for the same store and the heap ft](domft - {a}) 
obtained by removing a from the domain of ft, and 

x i ► 9 * ((xh 16) — * p) 

holds for the same store and the heap [ ft | a: 9 ] that differs 
from ft by mapping a into 9. (Thus, anticipating the concept 
of partial-correctness specification introduced in the next 
section, {xn9 * ((x i— > 16) — * p)} [x] := 16 {p}.) 

The inference rules for predicate calculus remain sound 
in this enriched setting. Before presenting sound rules for 
the new forms of assertions, however, we note two rules that 
fail. Taking p to be x 1 and q to be y 2, one can see 



that neither contraction, p =>■ p * p, nor weakening, p * 
q => p, are sound. Thus separation logic is a substructural 
logic. (It is not, however, a species of linear logic, since in 
linear logic P^Q can be written (IP) —* Q, so the rule of 
dereliction gives the validity of (P —* Q) =>■ (P => Q). But 
in a state where x 1 is true, (x h 1) -* false is true but 
(x h» 1) false is false [19].) 

Sound axiom schemata for separating conjunction in- 
clude commutative and associative laws, the fact that emp 
is a neutral element, and various distributive and semidis- 
tributive laws: 

Pi * P2 P2 * Pi 

(pi * p 2 ) * pz <^pi * (p 2 * Pz) 

p * emp p 

(pi Vp 2 ) * 9« (pi * q) V (p 2 * q) 

(Pi Ap 2 ) * q => (pi * q) A (p2 * q) 

(3x. p) * q 3x. (p * q) when x not free in q 

(Vx. p) * q => Vx. (p * q) when x not free in q. 

There is also an inference rule showing that separating con- 
junction is monotone with respect to implication: 



Pi =>P2 



qi => ?2 



pi * qi =>p 2 * q2, 



and two further rules capturing the adjunctive relationship 
between separating conjunction and separating implication: 

Pi * P2 => P3 Pi (P2 -* P3) 



Pi (P2 -* P3) Pi * P2 P3- 

There are several semantically defined classes of asser- 
tions that have useful special properties, and contain an eas- 
ily defined syntactic subclass. 

An assertion is said to be pure if, for any store, it is in- 
dependent of the heap. Syntactically, an assertion is pure if 
it does not contain emp, 1— >, or <—*. The following axiom 
schemata show that, when assertions are pure, the distinc- 
tion between the two kinds of conjunctions, or of implica- 
tions, collapses: 



Pi A P2 Pi * P2 

Pi * P2 Pi A p 2 

(p A q) * r p A (q * r) 

(Pi -* P2) (Pi => P2) 

(Pi => P2) (Pi -* P2) 



when pi or p 2 is pure 
when pi and p 2 are pure 
when p is pure 
when pi is pure 
when pi and p 2 are pure. 



We say that an assertion p is intuitionistic iff, for all 
stores s and heaps ft and ft': 



ft C ft' and 



t (s, ft) implies 



t ( S ,ft'). 



One can show that p * true is the strongest intuitionistic 
assertion weaker than p, and that true — * p is the weakest 
intuitionistic assertion stronger than p. Syntactically, If p 
and q are intuitionistic assertions, r is any assertion, and e 
and e' are expressions, then the following are intuitionistic 
assertions: 

Any pure assertion e e' 

r * true true * r 

p f\q pV(| 
Vu. p 3u. p 

p * q p —* q. 

For intuitionistic assertions, we have 

(p * true) => p when p is intuitionistic 

p => (true — * p) whenp is intuitionistic. 

It should also be noted that, if we define the operations 



-ip d = true — * (-1 p) 

def 



p =>■ q — true — * (p =>■ q) 
p ^> q d = true — * (p ^ q), 

then the assertions built from pure assertions and e <^-» e', 
using these operations and A, V, V, 3, * , and -* form the 
image of Ishtiaq and O'Hearn's modal translation from in- 
tuitionistic separation logic to the classical version [19]. 

Yang [33, 34] has singled out the class of strictly exact 
assertions; an assertion q is strictly exact iff, for all s, h, and 



h', 



t sh and 



t sh' implies h = h' . Syntactically, 



assertions built from expressions using h 
exact. The utility of this concept is that 



and * are strictly 



(q * true) Ap=> q * (q —* p) when q is strictly exact. 

Strictly exact assertions also belong to the broader class 
of domain-exact assertions; an assertion q is domain-exact 
iff, for all s, h, and h', [g] asrt s/i and M asrt s/i' implies 
dom/i = dom/i'. Syntactically, assertions built from ex- 
pressions using i— >, * , and quantifiers are domain-exact. 
When q is such an assertion, the semidistributive laws given 
earlier become full distributive laws: 

(pi * q) A (p2 * q) (pi Ap 2 ) * q 

when q is domain-exact 

\fx. (p * g) => (Vx. p) * q 

when a; not free in g and g is domain-exact. 

Finally, we give axiom schemata for the predicate i— >. 



(Regrettably, these are far from complete.) 

ei i ^ e[ A e 2 i — > e 2 •w- e.\ i — > A ei = e 2 A = e 2 



d ^ ei * e 2 



2 ei ^ e 2 
emp 4=> Vx. -i(a; 1 



-)• 



Both the assertion language developed in this section and 
the programming language developed in the previous sec- 
tion are limited by the fact that all variables range over the 
integers. Later in this paper we will go beyond this limi- 
tation in ways that are sufficiently obvious that we will not 
formalize their semantics, e.g., we will use variables denot- 
ing abstract data types, predicates, and assertions in the as- 
sertion language, and variables denoting procedures in the 
programming language. (We will not, however, consider 
assignment to such variables.) 

4. Specifications and their Inference Rules 

We use a notion of program specification that is similar 
to that of Hoare logic, with variants for both partial and total 
correctness: 

(spec) ::= {(assert)} (comm) {(assert)} partial 
[ (assert) ] (comm) [ (assert) ] total 

Let V = FV(p) U FV(c) U FV(g). Then 

{p} c {q} holds iff V(s, h) e Statesy. |p] asrt s/i implies 
-i (c, (s, h) abort) 
and (V(s',h') e Statesy. 

c, (s, h) ^* (s', h') implies [<?] asrt s' h'), 

and 

[p ] c [ q ] holds iff V(s, h) e Statesy. [p] asrt s h implies 
-i (c, (s, h) abort) 
and -i (c, (s, h) f) 
and (V(s',/i') e Statesy. 

c, (s,h)^* (s>,h>) implies lq} aslt s' h'). 

Notice that specifications are implicitly quantified over both 
stores and heaps, and also (since allocation is indetermi- 
nate) over all possible executions. Moreover, any execution 
giving a memory fault falsifies both partial and total speci- 
fications. 

As O'Hearn [19] paraphrased Milner, "Well-specified 
programs don't go wrong." As a consequence, during the 
execution of programs that have been proved to meet their 
specifications, it is unnecessary to check for memory faults, 
or even to equip heap cells with activity bits (assuming that 



programs are only executed in initial states satisfying the 
relevant precondition). 

Roughly speaking, the fact that specifications preclude 
memory faults acts in concert with the indeterminacy of al- 
location to prohibit violations of record boundaries. But 
sometimes the notion of record boundaries dissolves, as in 
the following valid specification of a program that tries to 
form a two-field record by gluing together two one-field 
records: 

{x — * yH -} 

if y = x + 1 then skip else 

if x = y + 1 then x := y else 

(dispose x ; dispose y ; x := cons(l, 2)) 

{x •-►-,-}. 

In our new setting, the command-specific inference rules 
of Hoare logic remain sound, as do such structural rules as 

• Consequence 

p'^P {P}c{q} q^q' 
{/''!'•{</!'• 

• Auxiliary Variable Elimination 

M c {q} _ 
{3v. p} c{3v. q}, 

where v is not free in c. 

• Substitution 

M c {q} 

(M c U})/vi -> ei, . . . , v n -> e n , 

where vi , . . . , v n are the variables occurring free in p, 
c, or q, and, if Vi is modified by c, then is a variable 
that does not occur free in any other ej . 

(All of the inference rules presented in this section are the 
same for partial and total correctness.) 

An exception is what is sometimes called the "rule of 
constancy" [27, Section 3.3.5; 28, Section 3.5]: 

M c {q} 
{p f\r} c {q /\ r}, 

where no variable occurring free in r is modified by c. It 
has long been understood that this rule is vital for scalabil- 
ity, since it permits one to extend a "local" specification of 
c, involving only the variables actually used by that com- 
mand, by adding arbitrary predicates about variables that 
are not modified by c and will therefore be preserved by its 
execution. 



Unfortunately, however, the rule of constancy is not 
sound for separation logic. For example, the conclusion of 
the instance 

{x i ► -} [x] :=4{xn 4} 
{x^-Ay^3}[x]:=4{x^4Ayn3} 

is not valid, since its precondition does not preclude the 
aliasing that will occur if x = y. 

O'Hearn realized, however, that the ability to extend lo- 
cal specifications can be regained at a deeper level by using 
separating conjunction. In place of the rule of constancy, he 
proposed the frame rule: 

• Frame Rule 

M c {q} 
{p * r} c {q * r}, 
where no variable occurring free in r is modified by c. 

By using the frame rule, one can extend a local specifica- 
tion, involving only the variables and parts of the heap that 
are actually used by c (which O'Hearn calls the footprint of 
c), by adding arbitrary predicates about variables and parts 
of the heap that are not modified or mutated by c. Thus, the 
frame rule is the key to "local reasoning" about the heap: 

To understand how a program works, it should 
be possible for reasoning and specification to be 
confined to the cells that the program actually ac- 
cesses. The value of any other cell will automati- 
cally remain unchanged [24] . 

Every valid specification {p} c {q} is "tight" in the sense 
that every cell in its footprint must either be allocated by 
c or asserted to be active by p; "locality" is the opposite 
property that everything asserted to be active belongs to the 
footprint. The role of the frame rule is to infer from a local 
specification of a command the more global specification 
appropriate to the larger footprint of an enclosing command. 

To see the soundness of the frame rule [35, 34], assume 
{p} c {q}> an d [p * r ]asrt s ^- Then there are ho and hi 
such that ho -L hi, h = ho ■ hi, [p]s h 0 and [rjs hi. 

• Suppose (c, (s, h)) abort. Then, by by the prop- 
erty described at the end of Section 2, we would have 
(c, (s, ho)) ^* abort, which contradicts {p} c {q} 
and lpjsh 0 . 

• Suppose (c, (s, h)) (s',h'). As in the previ- 
ous case, (c,(s,h 0 )) ^* abort would contradict 
{p} c {q} and [p]s/io, so that, by the property at 
the end of Section 2, (c, (s, ho)) ^* (s 1 , h' 0 ), where 
h'o -L hi and h! = h' 0 - hi. Then {p} c {q} and [pjs h 0 
implies that [qjs'/ig. Moreover, since (c,(s,h)) ^* 
(s', h'), the stores s and s' will give the same value 



to the variables that are not modified by c. Then, since 
these include all the free variables of r, [r]s hi implies 
that Irjs'hx. Thus [g * r\s'ti. 

Yang [35, 34] has also shown that the frame rule is com- 
plete in the following sense: Suppose that all we know 
about a command c is that some partial correctness speci- 
fication {p} c {q} is valid. Then, whenever the validity of 
{p'} c W} is a semantic consequence of this knowledge, 
{p'} c {<?'} can be derived from {p} c {q} by use of the 
frame rule and the rules of consequence, auxiliary variable 
elimination, and substitution. 

Using the frame rule, one can move from local versions 
of inference rules for the primitive heap-manipulating com- 
mands to equivalent global versions. For mutation, for ex- 
ample, the obvious local rule 

• Mutation (local) 



{e i ► — } [e] := e' {e e'} 

leads directly to 

• Mutation (global) 



{(e i ► ) * r} [e] := e' {(e e') * r}. 

(One can rederive the local rule from the global one by tak- 
ing r to be emp.) Moreover, by taking r in the global 
rule to be (e e') -* j) and using the valid implication 
q * (q —* p) =>• p, one can derive a third rule for mutation 
that is suitable for backward reasoning [19], since one can 
substitute any assertion for the postcondition p: 

• Mutation (backwards reasoning) 



{(e i— > — ) * ((e i ► e') — * p)} [e] := e' {p}. 

(One can rederive the global rule from the backward one by 
taking p to be (e e') * r and using the valid implication 
(p * r) => (p * (q —* (q * r))).) 

A similar development works for deallocation, except 
that the global form is itself suitable for backward reason- 
ing: 

• Deallocation (local) 



{e i ► — } dispose e {emp}. 
• Deallocation (global, backwards reasoning) 



{(e !—»•—) * r} dispose e {r}. 

In the same way, one can give equivalent local and global 
rules for "noninterfering" allocation commands that modify 
"fresh" variables. Here we abbreviate ei , . . . , e„ by e. 



• Allocation (noninterfering, local) 



{emp} v : — cons(e) {v e}, 
where v is not free in e. 
• Allocation (noninterfering, global) 



{r} v := cons(e) {(v e) * r}, 
where v is not free in e or r. 

However, to avoid the restrictions on occurrences of the 
assigned variable, or to give a backward-reasoning rule, 
or rules for lookup, we must introduce and often quantify 
additional variables. For both allocation and lookup, we 
can give equivalent rules of the three kinds, but the rele- 
vant derivations are more complicated than before since one 
must use auxiliary variable elimination, properties of quan- 
tifiers, and other laws. 

In these rules we indicate substitution by priming meta- 
variables denoting expressions and assertions, e.g., we write 
e! i for ei/v —> v' and r' for r/v —> v' . We also abbreviate 
ei , . . . , e n by e and e[ , . . . , e' n by e! . 

• Allocation (local) 



{v = v' A emp} v := cons(e) {v e'}, 
where v' is distinct from v. 
• Allocation (global) 



{r} v := cons(e) {3v' . (v e') * r'}, 
where v' is distinct from v, and is not free in e or r. 
• Allocation (backwards reasoning) 



{W. (v' i ► e) — * p'} v := cons(e) {p}, 
where v' is distinct from v, and is not free in e or p. 
• Lookup (local) 



{d = »' A (e h v")} v := [e] {v = v" A (e' ^ v")}, 
where v, v', and v" are distinct. 
• Lookup (global) 

{3v". (e i > v") * (r/v' -» v)} v := [e] 

{3v'. (e' v) * (r/v" — > w)}, 

where v, v' , and v" are distinct, v' and v" do not occur 
free in e, and v is not free in r. 



Lookup (backwards reasoning) 



e for the empty sequence. 



{3v'. (e i ► v') * ((e v') —* p')} v := [e] {p}, 

where v' is not free in e, nor free in p unless it is v. 

Finally, since e i— > v' is strictly exact, it is easy to obtain an 
equivalent but more succinct rule for backward reasoning 
about lookup: 

• Lookup (alternative backward reasoning) 



{3v'. (e ^ v') hp'} v := [e] {p}, 

where v' is not free in e, nor free in p unless it is v. 

For all four new commands, the backward reasoning forms 
give complete weakest preconditions [19, 34]. 

As a simple illustration, the following is a detailed proof 
outline of a local specification of a command that uses allo- 
cation and mutation to construct a two-element cyclic struc- 
ture containing relative addresses: 

{emp} 

x := cons(a, a) ; 

{x i ► a, a} 

y := cons(b, b) ; 

{(x^ a ,a) * (y^b,b)} 

{(x h-> a,-) * (y^ b, -)} 

[x+l]:=y-x; 

{(x a,y -x) * (y^b, -)} 

[y + 1] :=x-y; 

{(xh->a,y-x) * (y h-> b,x-y)} 
{3o. (x a, o) * (x+onb, — o)}. 

5. Lists 

To specify a program adequately, it is usually necessary 
to describe more than the form of its structures or the shar- 
ing patterns between them; one must relate the states of the 
program to the abstract values that they denote. To do so, it 
is necessary to define the set of abstract values algebraically 
or recursively, and to define predicates on the abstract val- 
ues by structural induction. Since these are standard meth- 
ods of definition, we will treat them less formally than the 
novel aspects of our logic. 

For lists, the relevant abstract values are sequences, for 
which we use the following notation: When a and (3 are 
sequences, we write 



• [x] for the single-element sequence containing x. (We 
will omit the brackets when x is not a sequence.) 

• a- (3 for the composition of a followed by (3. 

• for the reflection of a. 

• #a for the length of a. 

• a t for the ith component of a. 

The simplest list structure for representing sequences is 
the singly-linked list. To describe this representation, we 
write list a (i, j) when there is a list segment from i to j rep- 
resenting the sequence a: 



a i 



a 2 



J 



It is straightforward to define this predicate by induction on 
the structure of a: 

list e (i, j) = f emp A i = j 
list a-a (i, k) = 3j. i i— > a, j * list a (j, k), 
and to prove some basic properties: 
list a (i, j) i a, j 
list o;-/3 (i, k) 3j. list a (i,j) * list /5 (j, k) 
list a-b (i, k) ^ 3j. list a (i, j) * j ^ b, k. 

(The second property is a composition law that can be 
proved by structural induction on a.) 

In comparison with the definition of list in the intro- 
duction, we have generalized from lists to list segments, 
and we have used separating conjunction to prohibit cycles 

within the list segment. More precisely, when list ct\ 

ot n (i 0 , we have 



3ii, . . . \ n -\- 
(i 0 i-> «i, ii) * (ii 



«2, h) 



(in- 



&n , in) ■ 



Thus io, in-i are distinct, but i„ is not constrained, so 

that list ai a„ (i, i) may hold for any n > 0. 

Thus the obvious properties 

list a (i,j) =>■ (i = nil (a = e A j = nil)) 

lista(i,j)=^(i^j=^a^e) 

do not say whether a is empty when i = j ^ nil. How- 
ever, there are some common situations that insure that a is 
empty when i = j ^ nil, for example, when j refers to a 
heap cell separate from the list segment, or to the beginning 
of a separate list: 



list a (i, j) * j <— >• - =>■ (i = j <=> a = e) 
lista(ij) * list /? (j, nil) =>• (i = j a = e). 

On the other hand, sometimes i = j simply does not de- 
termine emptiness. For example, a cyclic buffer containing 
a in its active segment and [3 in its inactive segment is de- 
scribed by list a (i, j) * list (3 (j, i). Here, the buffer may be 
either empty or full when i = j. 

The use of list is illustrated by a proof outline for a com- 
mand that deletes the first element of a list: 

{lista-a(i,k)} 

{3j. i i — »- a, j * list a (j, k)} 

{i n a * □ j . i + 1 i — > j * list a (j, k)} 

j:=[i + i]; 

{i n a * i + li-^j * list a (j, k)} 
dispose i ; 

{i + 1 j * list a (j, k)} 
dispose i + 1 ; 

{lista(j,k)} 
i ==j 

{lista(i,k)} 

A more complex example is the body of the while command 
in the list-reversing program in the Introduction; here the 
final assertion is the invariant of the while command: 

{3a, (3. (list a (i, nil) * list (3 (j, nil)) 

AaJ = a f -/?Ai ^ nil} 
{3a, a, (3. (list a-a (i, nil) * list (3 (j, nil)) 

AaJ = (a-a)t./?} 
{3a, a, (3, k. (i a, k * list a (k, nil) * list (3 (j, nil)) 

AaJ = (a-a)t./?} 
k:=[i + l]; 

{3a, a, /?. (i i — ► a, k * list a (k, nil) * list (3 (j, nil)) 

AaJ = (a-a)t./?} 

[i + i]:=j; 

{3a, a, (3. (i i— > a,j * list a (k, nil) * list [3 (j, nil)) 

A aj = (a-a) f -/3} 
{3a, a, 13. (list a (k, nil) * list a-/? (i, nil)) 

A a\ = a* -a-/3} 
{3a, 13. (list a (k, nil) * list (3 (i, nil)) A a\ = a 1 '-/?} 
j:=i;i:=k 

{3a, (3. (list a (i, nil) * list (3 (j, nil)) A aj = a 1 -/?}. 



A more elaborate representation of sequences is 
provided by doubly-linked lists. Here, we write 
dlist a (i, i'JJ') when a is represented by a doubly-linked 
list segment with a forward linkage (via second fields) from 
i to j, and a backward linkage (via third fields) from j' to i': 




The inductive definition is 

dlist e(i,i',j,j') d = empAi=jAi'=j' 
dlist a-a (i, i', k, k') =' 3j. i a, j, i' * dlist a (j, i, k, k'), 

from which one can prove the basic properties: 

dlista(i,i',j,j')^i^a,j,i'Ai=j' 

dlist a-/3(i,i',k,k') & 

3j,j'. dlist a (i, i'JJ') * dlist /3(j,j',k,k') 

dlist a-b(i,i',k,k') <s> 

3j'. dlista(i,i',k'J') * k' ^ b, k,j'. 

The utility of unrestricted address arithmetic is illus- 
trated by a variation of the doubly-linked list, in which the 
second and third fields of each record are replaced by a sin- 
gle field giving the exclusive or of their contents. If we 
write xlist a (i, i'JJ') when a is represented by such an xor- 
linked list: 




we can define this predicate by 

xlist e (i, i'JJ') = f emp A i = j A i' = j' 

xlist a-a (i, i', k, k') = f 

3j. i a, (j ffi i') * xlist a (j, i, k, k'). 

The basic properties are analogous to those for dlist [24]. 

Finally, we mention an idea of Richard Bornat's [1], that 
instead of denoting a sequence of data items, a list (or other 
structure) should denote the sequence (or other collection) 
of addresses at which the data items are stored. In the case 
of simply linked lists, we write listN a (i J) when there is 



a list segment from i to j containing the sequence a of ad- 
dresses: 

01 02 0 n 




This view leads to the definition 

listN e (i, j) = f emp A i = j 
listN l-<T (i, k) A = I = i A 3j. i + 1 i — > j * listN a (j, k). 

Notice that listN is extremely local: It holds for a heap con- 
taining only the second cell of each record in the list struc- 
ture. 

The reader may verify that the body of the list-reversing 
program preserves the invariant 

3er, 5. (listN cr (i, nil) * listN 5 (j, nil)) A <Tq = a^-S, 

where <jq is the original sequence of addresses of the data 
fields of the list at i. In fact, since it shows that these ad- 
dresses do not change, this invariant embodies a stronger 
notion of "in-place algorithm" than that given before. 

6. Trees and Dags 

When we move from list to tree structures, the possible 
patterns of sharing within the structures become richer. 

In this section, we will focus on a particular kind of ab- 
stract value called an "S-expression" in the LISP commu- 
nity. The set S-exps of these values is the least set such that 

t e S-exps iff 

t e Atoms 
or r = (n • t 2 ) where n, t 2 e S-exps. 

(Of course, this is just a particular, and very simple, initial 
algebra. We could take carriers of any anarchic many-sorted 
initial algebra to be our abstract data, but this would com- 
plicate our exposition while adding little of interest.) 

For clarity, it is vital to maintain the distinction between 
abstract values and their representations. Thus, we will call 
abstract values "S-expressions", while calling representa- 
tions without sharing "trees", and representations with shar- 
ing but no loops "dags" (for directed acyclic graphs). 

We write tree r (i) (or dag r (i)) to indicate that i is the 
root of a tree (or dag) representing the S-expression r. Both 
predicates are defined by induction on the structure of r: 



tree a (i) iff emp A i = a 

tree (n • t 2 ) (i) iff 

3«i,i 2 - * i — >• ii, *2 * treeri(ii) * treer 2 (i 2 ) 

dag a (i) iff i = a 

dag(ri -t 2 ) (i) iff 

3ii,i 2 - i^h,i2 * (dagn (ii) Adagr 2 (i 2 )). 

Here, since emp is omitted from its definition, dag a (i) is 
pure, and therefore intuitionistic. By induction, it is easily 
seen that dag ri is intuitionistic for all r. In fact, this is 
vital, since we want dag n (ii) A dag r 2 (i 2 ) to hold for a 
heap that contains the (possibly overlapping) sub-dags, but 
not to assert that the sub-dags are identical. 

To express simple algorithms for manipulating trees, we 
must introduce recursive procedures. However, to avoid 
problems of aliased variables and interfering procedures, 
we will limit ourselves to first-order procedures without 
global variables (except, in the case of recursion, the name 
of procedure being defined), and we will explicitly indi- 
cate which formal parameters are modified by the procedure 
body. Thus a procedure definition will have the form 

h(xi, ■•■,x m ;yi,---,y n )=c, 

where y\ , ■ ■ ■ , y n are the free variables modified by c, and 
xi, ■ ■ ■ , x m are the other free variables of c, except h. 

We will not declare procedures at the beginning of 
blocks, but will simply assume that a program is reasoned 
about in the presence of procedure definitions. In this set- 
ting, an appropriate inference rule for partial correctness is 

• Procedures 

When h(x 1 ,---,x m ;y 1 , ■ ■ ■ ,y n ) = C 

M h(xi,---,x m ;yi,---,y n ) {q} 

M c {q} 

M h(x 1 ,---,x m ;yi,---,y n ) {q}. 

In essence, to prove some specification of a call of a pro- 
cedure in which the actual parameters are the same as the 
formal parameters in the procedure definition, one proves a 
similar specification of the body of the definition under the 
recursion hypothesis that recursive calls satisfy the specifi- 
cation being proved. 

Of course, one must be able to deduce specifications 
about calls in which the actual parameters differ from the 
formals. For this purpose, however, the structural inference 
rule for substitution suffices, if one takes the variables mod- 
ified by h(x 1 , ■ ■ ■,x m ;y 1 , ■ ■ -,y n ) to be y u ■ ■ ■ ,y n . Note 



that the restrictions on this rule prevent the creation of 
aliased variables or expressions. 

For example, we would expect a tree-copying procedure 

copytree(i;j) = 

if isatom(i) then j := i else 
newvar ii, i 2 ,ji,j 2 in 
(h :=[i];i 2 :=[!+!]; 
copytree(inji) ; copytree(i 2 ; j 2 ) ; 
j :=cons(ji,j 2 )) 

to satisfy 

{tree r(i)} copytree(i; j) {tree r(i) *treer(j)}. (5) 

The following is a proof outline of a similar specification of 
the procedure body: 

{tree r(i)} 

if isatom(i) then 

{isatom(r) A emp A i = r} 

{isatom(r) A ((emp A i = r) * (emp A i = r))} 

j :=i 

{isatom(r) A ((emp A i = r) * (emp A j = r))} 
else 

{3ti, t 2 . t = (n • t 2 ) A tree (n • r 2 )(i)} 
newvar ii, i 2 ,ji,j 2 in 

(ii :=[i];i 2 :=[i+l]; 

{3n,r 2 . r = (n • t 2 ) A (i i > ii , i 2 * 

treeri (ii) * tree r 2 (i 2 ))} 
copytree(iijji) ; 

{3ti,t 2 . r = (n • t 2 ) A (i i > ii , i 2 * 

treeri(ii) * treer 2 (i 2 ) * tree n (ji))} 

copytree(i 2 ;j 2 ) ; 

{3ti,t 2 . r = (n ■ t 2 ) A 

(i i — > ii , 12 * treeri (ii) * treer 2 (i 2 ) * 
treeri (ji) * tree r 2 (j 2 ))} 

j :=cons(ji,j 2 ) 

{3ri,r 2 . r = (n • r 2 ) A 

(i i ► ii, i 2 * tree n (ii) * tree r 2 (i 2 ) * 
}t-^h,h * treeriQi) * treer 2 (j 2 ))} 

{3ri,r 2 . r = (n • r 2 ) A 

(tree (r r r 2 ) (i) * tree (r r r 2 ) (j))}) 
{tree r(i) * tree r(j)}. 



To obtain the specifications of the recursive calls in this 
proof outline from the recursion hypothesis (5), one must 
use the frame rule to move from the footprint of the recur- 
sive call to the larger footprint of the procedure body. In 
more detail, the specification of the first recursive call in the 
outline can be obtained by the inferences 

{tree r(i)} copytree(i; j) {treer(i) * treer(j)} 
{tree n(ii)} copytree(ii;ji) {tree ri(ii) * treenQi)} 
{(r = (n • r 2 ) A i i > i i , i 2 ) * 

treeri 0i) * treer 2 (i 2 )} 
copytree(ii;ji) ; 
{(r = (n • r 2 ) A i i > ii, i 2 ) * 

treeri(ii) * treer 2 (i 2 ) * treeri (ji)} 
{r = (n • r 2 ) A (i i > ii , i 2 * 

tree n (ii) * tree r 2 (i 2 ))} 
copytree(ii;ji) ; 
{r = (n • r 2 ) A (i i > ii , i 2 * 

treeri(ii) * treer 2 (i 2 ) * treeri(ji))} 

{3ri,r 2 . r = (n • r 2 ) A (i i— > ii, i 2 * 

treeri (ii) * treer 2 (i 2 ))} 
copytree(ii;ji) ; 

{3ri,r 2 . r = (n • r 2 ) A (i i — > ii , 12 * 

treeri (ii) * treer 2 (i 2 ) * tree ri (ji))}, 

using the substitution rule, the frame rule, the rule of con- 
sequence (with the axiom that (p A q) * r O p A (5 * r) 
when p is pure), and auxiliary variable elimination. 

What we have proved about copytree, however, is not as 
general as possible. In fact, this procedure is insensitive to 
sharing in its input, so that it also satisfies 

{dagr(i)} copytree(i;j) {dagr(i) *treer(j)}. (6) 

But if we try to prove this specification by mimicking the 
previous proof, we encounter a problem: For (say) the first 
recursive call, at the point where we used the frame rule, we 
must infer 

{(•••) * (dagri(ii) Adagr 2 (i 2 ))} 
copytree(ii;ji) 

{(•••) * (dagn(ii) Adagr 2 (i 2 )) * treeriQi)}. 

Now, however, the presence of A instead of * prevents us 
from using the frame rule — and for good reason: The re- 
cursion hypothesis (6) is not strong enough to imply this 
specification of the recursive call, since it does not imply 
that copytree(ii; ji) leaves unchanged the portion of the 



heap shared by the dags representing n and t 2 . For ex- 
ample, suppose 



r 1 = ((3-4) -(5-6)) 



r 2 = (5-6). 



Then (6) would permit copytree(ii; ji) to change the state 
from 



into 




Ji— 



where dag r 2 (i 2 ) is false. 

One way of surmounting this problem is to extend asser- 
tions to contain assertion variables, and to extend the sub- 
stitution rule so that the w^'s include assertion variables as 
well as ordinary variables, with assertions being substituted 
for these assertion variables. 

Then we can use an assertion variable p to specify that 
every property of the heap that is active before executing 
copytree(i; j) remains true after execution: 

{p A dagr(i)} copytree(i;j) {p * treer(j)}. (7) 

We leave the proof outline to the reader, but show the infer- 
ence of the specification of the first recursive call from the 
recursion hypothesis, using the substitution rule and auxil- 
iary variable elimination: 

{p Adagr(i)} copytree(i; j) {p * treer(j)} 

{(t = (n • t 2 ) A p A dag r 2 (i 2 )) A dag n (ii)} 
copytree(ii;ji) ; 

{(t = (n • t 2 ) A p A dag r 2 (i 2 )) * tree n (ji)} 

{3ti, t 2 . (t = (n • t 2 ) A p A dag r 2 (i 2 )) A dag n (ii)} 
copytree(ii;ji) ; 

{3t!,t 2 . (t = (n • t 2 ) A p A dag r 2 (i 2 )) * tree n (ji)}. 

7. Arrays and Iterated Separating Conjunction 

It is straightforward to extend our programming lan- 
guage to include heap-allocated one-dimensional arrays, by 



introducing an allocation command where the number of 
consecutive heap cells to be allocated is specified by an 
operand. It is simplest to leave the initial values of these 
cells indeterminate. We will use the syntax 

(comm) ::=••• | (var) := allocate (exp) 

with the operational semantics 

(v := allocate e, (s, h)) ([ s \ v. £], h ■ h') 



where h ± h' and dom h' = {i\£<i<£ + 



Ucxp 



To describe such arrays, it is helpful to extend the con- 
cept of separating conjunction to a construct that iterates 
over a finite consecutive set of integers. We use the syntax 

(assert) ::=••• | 0<w>=(«p> ( assert > 
with the meaning 

io:' =e p] asrt (^) = 

let m = [e] cxp s, n = [e'] oxp s, 

/ = {i|m<i<n}in 
3H e I — > Heaps. 

Vi, j e I. i j implies Hi _L Hj 
<mdh={){Hi\ieI} 
andWe/. bLrtQ* \v:i],Hi). 
The following axiom schemata are useful: 

m > n (0" =m p(i) ^ emp) 

m = n^ (O2=mP(0 «pH) 
k < m < n + 1 =>■ 

(oiu^Mor, 1 ^) * or= m p«)) 

m <n => 

((0Lp(<))*«^OLW)m)) 

when q is pure 

m<j<n^ ((0" =m p(i)) (p(j) * true)). 

A simple example is the use of an array as a cyclic buffer. 
We assume that an n-element array has been allocated at 
address I, e.g., by I := allocate n, and we use the variables 

m number of active elements 
i address of first active element 
j address of first inactive element. 



Then when the buffer contains a sequence a, it should sat- 
isfy the assertion 

0 < m < n A I < i < l + n A I <j < l + n A 

j = i ffi m A m = #a A 

((O^o 1 i © k » a k+1 ) * (Q^r 1 j ffi k ~ -)), 

where x ffi y = x + y modulo n, and I < x ffi y < I + n. 

Somewhat surprisingly, iterated separating conjunction 
is useful for making assertions about structures that do not 
involve arrays. For example, the connection between our 
list and Bornat's listN is given by 

list a (i, j) 

3(7. #<j = #a A (listN a (i, j) * Q*=i ^ >-> a fc ). 

A more elaborate example is provided by a program that 
accepts a list i representing a sequence a of integers, and 
produces a list j of lists representing all (not necessarily con- 
tiguous) subsequences of a. This program is a variant of a 
venerable LISP example that has often been used to illus- 
trate the storage economy that can be obtained in LISP by 
a straightforward use of sharing. Our present interest is in 
using iterated separating conjunction to specify the sharing 
pattern in sufficient detail to show the amount of storage 
that is used. 

First, given a sequence a of sequences, we define ext a <r 
to be the sequence of sequences obtained by prefixing the 
integer a to each sequence in a: 



i \ acl 
(ext a cr)j = a-o-j. 

Then we define ss(a, a) to assert that a is a sequence of the 
subsequences of a (in the particular order that is produced 
by an iterative program): 

ss(e, a) = f a = [e] 

ss(a-a,er) = 3a'. ss(a, a 1 ) A a = (ext a er')^-er'. 

(To obtain the different order produced by a simple recur- 
sive program, we would remove the reflection (f ) operator 
here and later.) Next, we define Q(a, (3) to assert that (3 is 
a sequence of lists whose components represent the compo- 
nents of a: 

Q(a, [3) = #=#<7A V?iO'St a; (fl.nil) * true). 

At this stage, we can specify the abstract behavior of the 
subsequence program subseq by 

{list a (i, nil)} 
subseq 

{3a,/?. ss(at,a)A(list/3(j,nil) * (Q(a, /?)))}. 



To capture the sharing structure, however, we use iterated 
separating conjunction to define R{f3) to assert that the last 
element of (3 is the empty list, while every previous element 
consists of a single integer cons'ed onto some later element 

of/3: 

R((3) d ^ f (/3 #0 = nilAemp) * 

0^- 1 (3a,k. i<k<#/3AA^a,/3 k ). 

Here the heap described by each component of the iteration 
contains a single cons-pair, so that the heap described by 
R((3) contains #/3 — 1 cons-pairs. Finally, the full specifi- 
cation of c is 

{list a (i, nil)} 
subseq 

{3a, (3. ss(a\ a) A (list (3 (j, nil) * (Q(a, (3) A R(f3)))}- 

Here the heap described by list (3 (j, nil) contains #/3 cons- 
pairs, so that the entire heap described by the postcondition 
contains (2 x #/?) - 1 = (2 x 2# a ) - 1 cons-pairs. 

8. Proving the Schorr- Waite Algorithm 

The most ambitious application of separation logic has 
been Yang's proof of the Schorr- Waite algorithm for mark- 
ing structures that contain sharing and cycles [33, 34]. This 
proof uses the older form of classical separation logic [19] 
in which address arithmetic is forbidden and the heap maps 
addresses into multifield records — each containing, in this 
case, two address fields and two boolean fields. 

Several significant features of the proof are evident from 
its main invariant: 

noDanglingR A noDangling(t) A noDangling(p) A 
(listMarkedNodesR(stack, p) * 

(restoredl_istR(stack, t) -* spansR(STree, root))) A 
(markedR * (unmarkedR A (Vx. allocated(x) 

(reach(t,x) V reachRightChildlnList(stack,x))))). 

The heap described by this invariant is the footprint of the 
entire algorithm, which is exactly the structure that is reach- 
able from the address root. Since addresses now refer to en- 
tire records, it is easy to assert that the record at x has been 
allocated: 

allocated(x) = x <—> — , — , — , — , 
that all active records are marked: 

markedR = f Vx. allocated(x) =>• x — , — , — , true, 



that x is not a dangling address: 

noDangling(x) = (x = nil) V allocated(x), 
or that no active record contains a dangling address: 



noDanglingR 



dof 



Vx,l,r. (x I, r, -, -) 

noDangling(l) A noDangling(r). 



(Yang uses the helpful convention that the predicates with 
names ending in "R" are those that are not intuitionistic.) 

In the second line of the invariant, the subassertion 
listMarkedNodesR(stack, p) holds for a part of the heap 
called the spine, which is a linked list of records from 
root to the current address t in which the links have 
been reversed; the variable stack is a sequence of four- 
tuples determining the contents of the spine. In the next 
line, restoredl_istR(stack, t) describes what the contents 
of the spine should be after the links have been restored, 
and spansR(STree, root) asserts that the abstract structure 
STree is a spanning tree of the heap. 

The assertion spansR(STree, root) also appears in the 
precondition of the algorithm. Thus, the second and third 
lines of the invariant use separating implication elegantly to 
assert that, if the spine is correctly restored, then the heap 
will have the same spanning tree as it had initially. (In fact, 
the proof goes through if spansR(STree, root) is any predi- 
cate that is independent of the boolean fields in the records; 
spanning trees are used only because they are enough to de- 
termined the heap, except for the boolean fields.) To the 
author's knowledge, this part of the invariant is the only 
conceptual use of separating implication in a real proof (as 
opposed to its formal use in expressing weakest precondi- 
tions). 

In the rest of the invariant, the heap is partitioned into 
marked and unmarked records, and it is asserted that ev- 
ery active unmarked record can be reached from the vari- 
able t or from certain fields in the spine. However, since 
this assertion lies within the right operand of the separat- 
ing conjunction that separates marked and unmarked notes, 
the paths by which the unmarked records are reached must 
consist of unmarked records. Anyone (such as the author 
[27, Section 5.1]) who has tried to verify this kind of graph 
traversal, even informally, will appreciate the extraordinary 
succinctness of the last two lines of Yang's invariant. 

9. Computability and Complexity Results 

The existence of weakest preconditions for each of our 
new commands assures us that a central property of Hoare 
logic is preserved by our extension: that a program spec- 
ification annotated with loop invariants and recursion hy- 
potheses (and, for total correctness, variants) can be reduced 



to a collection of assertions, called verification conditions, 
whose validity will insure the original specification. Thus 
the central question for computability and complexity is to 
decide the validity of assertions in separation logic. 

Yang [8, 34] has examined the decidability of classical 
separation logic without arithmetic (where expressions are 
variables, values are addresses or nil, and the heap maps ad- 
dresses into two-field records). He showed that, even when 
the characteristic operations of separation logic (emp, i— >, 
* , and — *, but not are prohibited, deciding the validity 
of an assertion is not recursively enumerable. (As a con- 
sequence, we cannot hope to find an axiomatic description 
of i— >.) On the other hand, Yang and Calcagno showed that 
if the characteristic operations are permitted but quantifiers 
are prohibited, then the validity of assertions is algorithmi- 
cally decidable. 

For the latter case, Calcagno and Yang [8] have investi- 
gated complexity. Specifically, for the languages tabulated 
below they considered 



MC The model checking problem: Does 
a specified state {s,h)l 

VALThe validity problem: Does [p] as] 
states (s,h)l 



,sh hold for 



,sh hold for all 



In each case, they determined that the problem was com- 
plete for the indicated complexity class: 



Language 



MC VAL 



L 


P: 


:=E^ E,E\->E^-,- 
| E = E | E ^ E | false 
\Pf\P\PVP \ emp 


P coNP 


C* 


P: 


:=£ | P * P 


np nP 


cr* 


P: 


:=C\->P | P * P 


PSPACE 


£-* 


P: 


:=£ \P-*P 


PSPACE 




P: 


:=£ \ ^P\P*P\P-*P 


PSPACE 



10. Garbage Collection 

Since our logic permits programs to use unrestricted ad- 
dress arithmetic, there is little hope of constructing any 
general-purpose garbage collector. On the other hand, the 
situation for the older logic, in which addresses are disjoint 
from integers, is more hopeful. However, it is clear that this 
logic permits one to make assertions, such as "The heap 
contains two elements" that might be falsified by the exe- 
cution of a garbage collector, even though, in any realistic 
sense, such an execution is unobservable. 

The present author [28] has given the following example 



(shown here as a proof outline): 
{true} 

x := cons(3, 4) ; 

{x^3,4} 

{3x. x-^3,4} 

x := nil 

{3x. x-^3,4}, 

where the final assertion describes a disconnected piece of 
structure, and would be falsified if the disconnected piece 
were reclaimed by a garbage collector. In this case, the as- 
sertions are all intuitionistic, and indeed it is hard to con- 
coct a reasonable program logic that would prohibit such a 
derivation. 

Calcagno, O'Hearn, and Bornat [7, 6, 5, 4] have explored 
ways of avoiding this problem by defining the existential 
quantifier in a nonstandard way, and have defined a rich 
variety of logics that are insensitive to garbage collection. 
Unfortunately, there is no brief way of relating these logics 
to those discussed in this paper. 

11. Future Directions 
11.1. New Forms of Inference 

In Yang's proof of the Schorr-Waite algorithm, there are 
thirteen assertions that have been semantically validated but 
do not seem to be consequences of known inference rules, 
and are far too specific to be considered axioms. This sur- 
prising state of affairs is likely a consequence of the novel 
character of the proof itself — especially the quantification 
over all allocated addresses, and the crucial use of sepa- 
rating implication — as well as the fact that the algorithm 
deals with sharing in a more fundamental way than others 
that have been studied with separation logic. 

The generalization of such assertions may be a fertile 
source of new inference rules. For example, suppose p is 
intuitionistic, and let p be Vx. allocated(x) => p. Then 

emp => p 

(3x. (x i ^ -,-)Ap)^p 
(p * p) => p. 

For a more elaborate example, suppose we say that two 
assertions are immiscible if they cannot both hold for over- 
lapping heaps. More precisely, p and q are immiscible iff, 
for all stores s and heaps h and hi such that h U hi is a 
function, if [p] asrt s/i and [[<7]] asrt s/i' then h _L hi. 

On the one hand, it is easy to find immiscible assertions: 
If p and q are intuitionistic and p A q =>■ false is valid, then 

Vx. allocated(x) =^p and Vx. allocated(x) q 



are immiscible. Moreover, if p' and q' are immiscible and 
p^p' and q => q' are valid, then p and q are immiscible. 
On the other hand, if p and q are immiscible, then 

(p * true) A (q * r) => q * ((p * true) A r) 

is valid. 

Both of these examples are sound, and useful for at least 
one proof of a specification of a real program. But they 
may well be special cases of more generally useful rules or 
other inference mechanisms. O'Hearn suspects that there 
are good prospects to find a useful proof theory for separa- 
tion logic using "labeled deduction" [13, 14]. 

It should also be noted that Yang's proof depends criti- 
cally on the fact that the Schorr-Waite algorithm performs 
an in-place computation. New problems may arise in trying 
to prove, say, a program that copies a reachable structure 
while preserving its sharing patterns — somehow, one must 
express the isomorphism between the structure and its copy. 

Beyond these particulars, in its present state separation 
logic is not only theoretically incomplete, but pragmatically 
incomplete: As it is applied in new ways, there will be a 
need for new kinds of inference. 

11.2. Taming Address Arithmetic 

When we first realized that separation logic could be 
generalized and simplified by permitting address arithmetic, 
it seemed an unalloyed benefit. But there are problems. For 
example, consider the definition of dag given in Section 6: 
The assertion dag ((1 • 2) • (2 • 3)) (i) holds in states where 
two distinct records overlap, e.g. 



o- 
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o- 
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Similarly, iff one were to try to recast the Schorr-Waite 
proof in the logic with address arithmetic, it would be dif- 
ficult (but necessary) to assert that distinct records do not 
overlap, and that all address values in the program denote 
the first fields of records. 

These problems, of what might be called skewed sharing, 
become even more difficult when there are several types of 
records, with differing lengths and field types. 

A possible solution may be to augment states with a map- 
ping from the domain of the heap into "attributes" that could 
be set by the program, described by assertions, and perhaps 
tested to determine whether to abort. These attributes would 
be similar to auxiliary variables (in the sense of Owicki and 
Gries [25]), in that their values could not influence the val- 
ues of nonauxiliary variables or heap cells, nor the flow of 
control. 



To redefine dag to avoid skewed sharing, one could, at 
each allocation x := cons(ei, e 2 ) that creates a record in a 
dag, give x (but not x + 1) the attribute dag-record. Then 
the definition of a non-atomic dag would be changed to 

dag (n • t 2 ) (i) iff is-dag-record(i) A 

3i!,i 2 . i^h,i2 * (dagri (ii) Adagr 2 (i 2 ))- 

In a version of the Schorr- Waite proof using address 
arithmetic, one might give the attribute record to the ad- 
dress of the beginning of each record. Then one would add 

Vx. is-record(x) => 31, r, c, m. x I, r, c, m 

A (is-record(l) V I = nil) A (is-record(r) V r = nil) 
A is-boolean(c) A is-boolean(m) 

to the invariant, and use the assertion is-record(a;) in place 
of allocated(;r). 

There is a distinct flavor of types in this use of attributes: 
The attributes record information, for purposes of proof, 
that in a typed programming language would be checked 
by the compiler and discarded before runtime. An alterna- 
tive, of course, would be to move to a typed programming 
language, but our goal is to keep the programming language 
low-level and, for simplicity and flexibility, to use the proof 
system to replace types rather than supplement them. 

11.3. Concurrency 

In the 1970's, Hoare and Brinch Hansen argued persua- 
sively that, to prevent data races where two processes at- 
tempt to access the same storage without synchronization, 
concurrent programs should be syntactically restricted to 
limit process interference to explicitly indicated critical re- 
gions. In the presence of shared mutable structures, how- 
ever, processes can interfere in ways too subtle to be de- 
tected syntactically. 

On the other hand, when one turns to program verifica- 
tion, it is clear that separation logic can specify the absence 
of interference. In the simplest situation, the concurrent ex- 
ecution ci || c 2 of two processes that do not interfere with 
one another is described by the inference rule 

{Pi} ci {gi} {p 2 } c 2 {g 2 } 
{pi * P2} ci || c 2 {gi * q 2 }, 

where no variable free inpi or qi is modified by c 2 , or vice- 
versa. 

Going beyond this trivial case, O'Hearn [22, 21] has ex- 
tended the Hoare-like logic for concurrency devised by Ow- 
icki and Gries [25] (which is in turn an extension of work 
by Hoare [18]), to treat critical regions in the framework of 
separation logic. 



The basic idea is that, just as program variables are syn- 
tactically partitioned into groups owned by different pro- 
cesses and resources, so the heap should be similarly par- 
titioned by separating conjunctions in the proof of the pro- 
gram. The most interesting aspect is that the partition of 
the heap can be changed by executing critical regions as- 
sociated with resources, so that ownership of a particular 
address can move from a process to a resource and from 
there to another process. 

Thus, for example, one process may allocate addresses 
and place them in a buffer, while another process removes 
the addresses from the buffer and deallocates them. Simi- 
larly, in a concurrent version of quicksort, an array segment 
might be divided between two concurrent recursive calls, 
and reunited afterwards. 

Unfortunately, at this writing there is no proof that 
O'Hearn's inference rules are sound. The difficulty is that, 
in O'Hearn's words, "Ownership is in the eye of the as- 
serter", i.e., the changing partitions of the heap are not de- 
termined by the program itself, but only by the assertions in 
its proof. 

In concurrent programming, it is common to permit sev- 
eral processes to read the same variable, as long as no pro- 
cess can modify its value simultaneously. It would be natu- 
ral and useful to extend this notion of passivity to heap cells, 
so that the specification of a process might indicate that a 
portion of the heap is evaluated but never mutated, allocated 
or deallocated by the process. (This capability would also 
provide an alternative way to specify the action of copy tree 
on dags discussed in Section 6.) Semantically, this would 
likely require activity bits to take on a third, intermediate 
value of "read-only". 

Concurrency often changes the focus from terminating 
programs to programs that usefully run on forever — for 
which Hoare logic is of limited usefulness. For such pro- 
grams, it might be helpful to extend temporal logic with 
separating operators. 

11.4. Storage Allocation 

Since separation logic describes a programming lan- 
guage with explicit allocation and deallocation of storage, 
without any behind-the-scenes garbage collector, it should 
be suitable for reasoning about allocation methods them- 
selves. 

A challenging example is the use of regions, in the sense 
of Tofte et al [31]. To provided an explicitly programmable 
region facility, one must program an allocator and dealloca- 
tor for regions of storage, each of which is equipped with its 
own allocator and deallocator. Then one must prove that the 
program using these routines never deallocates a region un- 
less it is safe to deallocate all storage that has been allocated 
from that region. 



Although separation logic is incompatible with general- 
purpose garbage collection (at least when unrestricted ad- 
dress arithmetic is permitted), it should be possible to con- 
struct and verify a garbage collector for a specific program. 
In this situation, one should be able to be far more aggres- 
sive than would be possible for a general-purpose garbage 
collector, both in recovering storage, and in minimizing the 
extra data needed to guide the traversal of active structure. 
For example, for the representation described by dag in Sec- 
tion 6, it would be permissible for the collector to increase 
the amount of sharing. 

The key here is that a correct garbage collector need only 
maintain the assertion that must hold at the point where the 
collector is called, while preserving the value of certain in- 
put variables that determine the abstract values being com- 
puted. (In addition, for total correctness, the collector must 
not increase the value of the loop variants that insure termi- 
nation.) For instance, in the list-reversal example in Section 
5, a collector called at the end of the while body would be 
required to maintain the invariant 

3a, (3. (list a (i, nil) * list (3 (j, nil)) A a\ = 

while preserving the abstract input a 0 , and not increasing 
the variant, which is the length of a. 

It is interesting to note that the garbage collector is re- 
quired to respect the partial equivalence relation determined 
by the invariant, in which two states are equivalent when 
they both satisfy the invariant and specify the same values 
of the input variables. Considering the use of partial equiv- 
alence relations to give semantics to types, this reinforces 
the view that types and assertions are semantically similar. 

11.5. The Relationship to Type Systems 

Although types and assertions may be semantically sim- 
ilar, the actual development of type systems for program- 
ming languages has been quite separate from the develop- 
ment of approaches to specification such as Hoare logic, re- 
finement calculi, or model checking. In particular, the idea 
that states have types, and that executing a command may 
change the type of a state, has only taken hold recently, in 
the study of type systems for low-level languages, such as 
the alias types devised by Walker and Morrisett [32]. 

Separation logic is closely related to such type systems. 
Indeed, their commonality can be captured roughly by a 
simple type system: 

(value type) :: = integer | (address variable) 

(store type) ::= 

(variable) : (value type) , . . . , (variable) : (value type) 



(heap type) ::= emp 

| (address variable) i— > (value type) , . . . , (value type) 
| (heap type) * (heap type) 

(state type) ::= (store type) ; (heap type) 

It is straightforward to translate state types in this system 
into assertions of classical separation logic (in the formula- 
tion without address arithmetic) or into alias types. 

It may well be possible to devise a richer type system that 
accommodates a limited degree of address arithmetic, per- 
mitting, for example, addresses that point into the interior 
of records, or relative addresses. 

Basically, however, the real question is whether the di- 
viding line between types and assertions can be erased. 

11.6. Embedded Code Pointers 

Even as a low-level language, the simple imperative lan- 
guage axiomatized by Hoare is deficient in making no pro- 
vision for the occurrence in data structures of addresses that 
refer to machine code. Such code pointers appear in the 
compiled translation of programs in higher-order languages 
such as Scheme or SML, or object-oriented languages such 
as Java or CjJ. Moreover, they also appear in low-level 
programs that use the techniques of higher-order or object- 
oriented programming. 

Yet they are difficult to describe in the first-order world 
of Hoare logic; to deal with embedded code pointers, we 
must free separation logic from both Hoare logic and the 
simple imperative language. Evidence of where to go 
comes from the recent success of type theorists in extend- 
ing types to machine language (in particular to the output 
of compilers) [20, 32]. They have found that a higher-order 
functional language (with side-effects) comes to resemble a 
low-order machine language when two restrictions are im- 
posed: 

• Continuation-passing style (CPS) is used, so that func- 
tions receive their return addresses in the same way as 
they receive other parameters. 

• Free variables are prohibited in expressions that denote 
functions, so that functions can be represented by code 
pointers, rather than by closures that pair code pointers 
with data. 

In fact, this restricted language is formally similar to an im- 
perative language in which programs are "flat", i.e., control 
paths never come together except by jumping to a common 
label. 

This raises the question of how to marry separation logic 
with CPS (with or without the prohibition of free variables 
in function expressions, which appears to be irrelevant from 
a logical point of view). 



A simple example of CPS is provided by the function 
append(x, y, r), which appends the list x to the list y (with- 
out mutation, so that the input lists are unchanged), and 
passes the resulting list on to the continuation r: 

letrec append (x, y, r) = if x = nil then r(y) else 
let a = [x], b = [x+ 1], 

k(z) = let w = cons(a, z) in r(w) 
in append(b, y, k). 

We believe that the key to specifying such a CPS pro- 
gram is to introduce a reflection operator # that allows CPS 
terms to occur within assertions (in a manner reminiscent 
of dynamic logic [15]). Specifically, if t is a CPS term then 
# t is an assertion that holds for a state if t never aborts 
when executed in that state — in this situation we say that 
it is safe to execute t in that state. 

Suppose c is a command satisfying the Hoare specifica- 
tion {p} c {q}, and t is a CPS term such that executing t has 
the same effect as executing c and then calling the continu- 
ation r(xi, ...x n ). Then we can specify t by the assertion 

0 * (Vx 1 ,...,x m . q ^* # r(xi, . . . ,x n ))) => #t 

(where x\, . . . , x m is a subset of the variables x\, . . . , x n ). 
If we ignore the difference between the separating operators 
and ordinary conjunction and implication, this asserts that it 
is safe to execute t in any state satisfying p and mapping r 
into a procedure such that it is safe to execute r(x±, ...,i„) 
in a state satisfying q. Taking into account the separative 
nature of * and -*, it asserts that it is safe to execute t in 
any state where part of the heap satisfies p, and r is mapped 
into a procedure such that it is safe to execute r(x\, ...,x n ) 
when the part of the heap that satisfied p is replaced by a part 
that satisfies q. Finally, the universal quantifier indicates 
the variables whose value may be changed by t before it 
executes r(x\, ...,x n ). 

For example, the CPS form of append can be specified 

by 

((list a (x, nil) * list (3 (y, nil)) 

* (Vz. (list a (x, nil) * list a (z, y) * list (3 (y, nil)) 

-*#r(z))) 
^#append(x,y, r). 



It can be discouraging to go back and read the "future 
directions" sections of old papers, and to realize how few of 
the future directions have been successfully pursued. It will 
be fortunate if half of the ideas and suggestions in this sec- 
tion bear fruit. In the meantime, however, the field is young, 
the game's afoot, and the possibilities are tantalizing. 
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